Data Processing Agreement

This Data Processing Agreement (hereinafter referred to as "DPA"), together with Terms and Conditions and Privacy Policy, forms the Agreement between:

• Client is defined as in Terms and Conditions (hereinafter referred to as "Controller" or "Business") and
• Spoks Technologies Inc., a Delaware C-Corporation with registered office 1111 B South Governors Ave, STE 29541, Dover, DE 19904 US, File number: 10178760 (hereinafter referred to as „Spoks", "Processor", „Data Processor" or "Service Provider").

Controller and Processor collectively hereinafter referred to as the "Parties" and each individually as the "Party"

This DPA applies to the extent Processor Processes Personal Data on behalf of the Controller in the course of providing the Services as defined in the Terms and Conditions.

The parties agree that:

• Under the GDPR, the Controller is the Data Controller and the Processor is the Data Processor;
• Under the CCPA/CPRA and similar U.S. laws, the Controller is the Business and the Processor is the Service Provider;
• Under other Applicable Data Protection Laws, roles are determined according to the specific definitions in such laws.

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of enabling the Controller to manage, organize, and execute marketing activities such as newsletters, campaigns, and related communications with the Controller's customers and contacts.

The Processor shall not use the Personal Data for any independent purpose or outside the scope of the Controller's instructions.

The nature of the processing is predominantly automated and involves the handling of electronic Personal Data through the Processor's software platform and related infrastructure. The Processor may also process Personal Data manually where required for support, maintenance, or compliance activities.

The Processing shall be performed for the term of the Agreement and any applicable retention period thereafter.

• Processor shall process Personal Data solely on documented instructions from the Controller and exclusively for the purposes set forth in the Agreement and this Data Processing Agreement.
• The Processor shall not retain, use, or disclose Personal Data for any purpose other than providing the services agreed upon.
• The Processor shall not sell Personal Data.
• The Processor shall ensure that all personnel within its organization authorized to process Personal Data are bound by confidentiality obligations, whether by contract or statute and are granted access to Personal Data only to the extent necessary to properly perform their duties.
• Processor shall implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data.

• Notify the Controller about a Personal Data Breach according to Section 8.
• At the Controller's choice, delete or return all Personal Data upon termination of the Agreement, unless legally required to retain it.
• Make available all information necessary to demonstrate compliance and allow audits under Section 9.
• The Processor shall promptly notify the Controller if it receives any legally binding requests from law enforcement or regulatory authorities for disclosure of Personal Data, unless prohibited by law.

• The Controller represents and warrants that it shall comply with all obligations applicable to it under Applicable Data Protection Law. This includes but is not limited to obtaining all necessary consents and having a lawful basis to collect and provide Personal Data to the Processor.
• The Controller is solely responsible for the legality of the data provided to Spoks.
• The Controller shall not instruct the Processor to perform any Processing that would violate applicable law.
• The Controller shall not use the Spoks Platform to process Personal Data for unlawful, discriminatory, or deceptive purposes, or in a way that infringes upon the rights and freedoms of data subjects.
• The Controller is solely responsible for ensuring that the Personal Data provided to Spoks is accurate, complete, and kept up to date. The Controller must notify the Processor promptly of any changes or corrections to the Personal Data that may affect Processing accuracy.
• The Controller shall provide instructions to the Processor regarding the Processing of Personal Data. The Processor shall be entitled to rely on the instructions provided through the Controller's use of the Spoks Platform, as configured by the Controller via the Processor's platform. If additional or conflicting instructions are issued, they must be provided in writing. The Controller acknowledges that changes to the instructions may impact the scope, pricing, or availability of services.
• The Controller is solely responsible for responding to Data Subject requests under Applicable Data Protection Law and determining the appropriate response to such requests.

The Controller shall promptly cooperate with the Processor in good faith to enable compliance with this DPA and all applicable laws, including but not limited to assisting with regulatory inquiries or data protection authority audits relating to Processing and investigations and responses to Personal Data breaches.

• Controller authorizes Processor to engage Sub-Processors for the purposes of providing the Services.
• Current Sub-Processors are listed in Annex II. Controller approves these Sub-Processors as of the Effective Date.
• The Processor may engage new Sub-processors by updating Annex II, providing 7 (seven) days prior written notice to the Controller.
• Processor shall enter into an agreement with each Sub-Processor containing equivalent obligations as those in this DPA, to ensure compliance with relevant data protection regulations.
• The data controller has the right to object to the appointment of new subprocessors, within 7 (seven) days.
• In the aforementioned circumstances, the Parties shall engage in good faith efforts to reach a mutually acceptable alternative. Should no consensus be reached and the Processor nevertheless proceeds with the engagement of the contested sub-processor, the Controller shall be entitled to terminate the Agreement by providing thirty (30) days' prior written notice. Such termination shall not constitute a breach of contract.

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of such breach.

The Processor shall provide sufficient information to allow the Controller to fulfill its notification obligations and shall cooperate fully with the Controller in investigating the breach, mitigating its effects, and preventing future occurrences.

Such notification shall contain a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences, and the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

In the event that it is not possible to provide all information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.

The Controller may audit the Processor's compliance with this DPA once per calendar year, with 30 days' prior notice, during business hours. Audits may be conducted by a third party under confidentiality obligations.

The Processor may alternatively provide a recent, third-party audit report or certification.

Processor retains Personal Data only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

Upon expiration or termination of the Agreement, and at the Controller's written request, the Processor shall promptly return all Personal Data to the Controller or securely delete such data unless otherwise required by law to retain it.

The Processor shall provide written confirmation of the deletion upon the Controller's request.

The parties hereby submit to the exclusive jurisdiction of the Delaware Court of Chancery, or if such court lacks subject matter jurisdiction, the United States District Court for the District of Delaware, for the resolution of any disputes, claims, or controversies arising out of or relating to this DPA, including but not limited to disputes concerning the processing of Personal Data, or the performance of the parties' obligations hereunder, subject to the paragraph below.

Notwithstanding the foregoing, to the extent the dispute involves Personal Data of Data Subjects located in the European Economic Area, Switzerland, or the United Kingdom, the governing law and jurisdictional provisions set forth in the Standard Contractual Clauses Module Two, as incorporated into the Data Processing Agreement (Appendix III), shall apply. For disputes arising under the SCCs, the parties agree to the jurisdiction of the courts of the Republic of Ireland, as specified in Clause 17 of the SCCs, and to be governed by the law of the Republic of Ireland, as specified in Clause 18 of the SCCs.

The Parties acknowledge that EU data protection authorities retain their investigative and enforcement powers under the GDPR, regardless of the jurisdiction selected herein.

This DPA may only be amended by a written agreement signed by authorized representatives of both parties, except:

• The Processor may update Annex I (Security Measures) and Annex II (Sub-processors) as provided herein;
• updates required for legal compliance with 30 (thirty) days' notice.